
Public Vulnerability Disclosure Program

Introduction

The Texas A&M University System is committed to ensuring the security of its members and the public by protecting their information. This program policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

This program policy describes what systems and types of research are covered under this program, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in our systems. We do not pay bounties for disclosed vulnerabilities; however, certain vendor products may be bounty-eligible, and you are encouraged to also report the vulnerability to the affected vendor(s).

Authorization

If you make a good faith effort to comply with this program policy during your security research, we will consider your research to be authorized and we will work with you to understand and resolve the issue quickly. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this program policy, we will make this authorization known.

Guidelines

Under this program policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent access (for example, a command-line shell), or pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not submit a high volume of low-quality reports.
  • Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test Methods

The following test methods are not authorized:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing

Scope

This program applies to all internet-accessible systems or services that (1) do not require the use of a VPN or other gateway service to access, and (2) are under domains owned or operated by the Texas A&M University System.

Any service not covered by the scope statement above, such as connected services not hosted by the Texas A&M University System or services that require access from within a Texas A&M University System member network, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors (including cloud service (SaaS/PaaS/IaaS) providers) fall outside this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope, contact us at [email protected] before starting your research (or contact the security contact listed for the service's domain name in the .edu WHOIS).

Disclosure and Remediation Timeline

Time frames for mitigation development and the type and schedule of disclosure may be affected by various factors. Extenuating circumstances, such as active exploitation, threats of an especially serious nature, or situations that require changes to established standards, may result in changes to the disclosure timeline. Other factors include, but are not limited to:

  • whether the vulnerability has already been publicly disclosed, i.e. published by a researcher;
  • potential impact to critical infrastructure, national security, or public health and safety;
  • the availability of effective mitigations;
  • vendor responsiveness and feasibility of developing an update or patch;
  • vendor estimate of time required for customers to obtain, test and apply the patch.

The name and contact information of the vulnerability reporter will be provided to the affected vendors unless otherwise requested by the vulnerability reporter. The Texas A&M University System will make good-faith efforts to advise the vulnerability reporter of significant changes in the status of any vulnerability reported, without revealing information provided in confidence by the affected vendor(s) or service provider(s).

Affected vendors will be apprised of any publication plans shared by the vulnerability reporter.

Reporting a Vulnerability

To report a vulnerability, please submit a vulnerability report. You may also contact Texas A&M University System Cybersecurity directly through the methods available on our contact page.
